update artifactory docs to reflect some archeobot changes #262

Open
wants to merge 1 commit into
base: main
Expand Up @@ -19,7 +19,7 @@ sort_order: 8
---

# Set up an Artifactory service account
Last updated: **January 30, 2024**
Last updated: **July 17, 2024**

Artifactory access is controlled through Artifactory service accounts. Service accounts are meant to be shared by teams and used by automation tools like pipelines.

Expand All @@ -35,37 +35,36 @@ An Artifactory service account is not required to make use of the remote (cachin
- **[Create a service account](#create-a-service-account)**
- **[Access a service account](#access-a-service-account)**
- **[Delete a service account](#delete-a-service-account)**
- **[Change a service account password](#delete-a-service-account)**
Contributor

Need to update the link here

- **[Related pages](#related-pages)**

---

## Create a service account

If you have a project established in either the Silver or Emerald clusters, an Artifactory service account is already available. An `ArtifactoryServiceAccount` object is generated in the corresponding `tools` namespace, and the Artifactory Operator handles its configuration. A default `ArtifactoryServiceAccount` object is automatically created during namespace provisioning, identified by the name `default`. You are also free to create additional Artifactory service accounts if needed.

If your project is established in the Gold clusters, you will need to create your own Artifactory service account as no default one is provided. This is because you are responsible for managing the synchronization of any necessary secrets between the Gold and Gold DR clusters. Archeobot, the operator overseeing the creation and maintenance of `ArtifactoryServiceAccount` objects, operates solely in Gold and not in Gold DR. You must initiate the creation of the `ArtifactoryServiceAccount` object in the Gold cluster, and Archeobot will generate the associated objects (such as your pull secrets) in your Gold namespace. The responsibility lies with your team to synchronize these secrets with Gold DR.
If you need a service account, you will need to create your own service account in all clusters - no default account is provided. If you are working in the Gold and Gold-DR clusters, you will need to perform all provisioning tasks in the Gold cluster. This is because you are responsible for managing the synchronization of any necessary secrets between the Gold and Gold DR clusters. Archeobot, the operator overseeing the creation and maintenance of `ArtifactoryServiceAccount` objects, operates solely in Gold and not in Gold DR. You must initiate the creation of the `ArtifactoryServiceAccount` object in the Gold cluster, and Archeobot will generate the associated objects (such as your pull secrets) in your Gold namespace. The responsibility lies with your team to synchronize these secrets with Gold DR.

Run the following command to create a new service account:

```bash
oc process -f https://raw.githubusercontent.com/bcgov/platform-services-archeobot/master/archeobot/config/samples/tmpl-artifactoryserviceaccount.yaml -p NAME="[ASAname]" -p DESCRIPTOR="[Description of Service Account]" | oc create -f -
```

The `ASAname` refers to the name of the ArtifactoryServiceAccount object, not the actual account. The Platform Team recommends choosing a name that reflects how you plan to use the account. For instance, if you're creating an account specifically for your Tekton pipeline, a suitable name could be `tekton` for the Artifactory Service Account object. This results in a secret named `artifacts-tekton-[random]` and an account named `jenkins-[namespace]-[random]`. There's no need to worry about name collisions with other teams; your account name incorporates your namespace plate (the six alphanumeric characters preceding `-tools`, `-dev`, `-test`, or `-prod` in the namespace name). Even if another team named their ArtifactoryServiceAccount `jenkins`, they have a distinct name.
The `ASAname` refers to the name of the ArtifactoryServiceAccount object, not the actual account. The Platform Team recommends choosing a name that reflects how you plan to use the account. For instance, if you're creating an account specifically for your Tekton pipeline, a suitable name could be `tekton` for the Artifactory Service Account object. This results in two secrets named `artifacts-tekton-[random]` and `artifacts-pull-tekton-[random]`, and an account named `tekton-[namespace]-[random]`. There's no need to worry about name collisions with other teams; your account name incorporates your namespace plate (the six alphanumeric characters preceding `-tools`, `-dev`, `-test`, or `-prod` in the namespace name). Even if another team named their ArtifactoryServiceAccount `tekton`, they have a distinct name.

Once Archeobot reconciles your changes, you can utilize this account to access Artifactory.

## Access a service account

To gather the random license plate assigned to the end of each `ArtifactoryServiceAccount` name and obtain additional details, execute `oc describe artsvcacct default`. This command provides information about the reconciliation status and other account details. If you require assistance with the Artifactory service account object, make sure to include both the spec and status information in your support ticket.
To gather the random license plate assigned to the end of each `ArtifactoryServiceAccount` name and obtain additional details, execute `oc describe artsvcacct [ASAname]`. This command provides information about the reconciliation status and other account details. If you require assistance with the Artifactory service account object, make sure to include both the spec and status information in your support ticket.

**Note**: `ArtifactoryServiceAccount` objects have two available short-names to make them easier to use in the CLI: `ArtSvcAcct` and `ArtSA`.

You can get the username and password out of the secret using the following command:

```bash
oc get secret/artifacts-default-[random] -o json | jq '.data.username' | tr -d "\"" | base64 -d
oc get secret/artifacts-default-[random] -o json | jq '.data.password' | tr -d "\"" | base64 -d
oc get secret/artifacts-[ASAname]-[random] -o json | jq '.data.username' | tr -d "\"" | base64 -d
oc get secret/artifacts-[ASAname]-[random] -o json | jq '.data.password' | tr -d "\"" | base64 -d
```

## Delete a service account
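
Review bot: In the "Access a service account" section, the updated commands read only `artifacts-[ASAname]-[random]`, while the "Create a service account" paragraph now says two secrets are generated; nothing in this hunk says what `artifacts-pull-[ASAname]-[random]` contains or when a team should use it instead. Add one sentence there stating the purpose of each secret, so readers do not copy the wrong one into Gold DR or into a BuildConfig. Both commands could also use `jq -r '.data.password'` in place of `jq '.data.password' | tr -d "\""`, and since they print the decoded password to the terminal, a short line saying so would help people running them in shared sessions or CI logs. The table-of-contents entry for "Change a service account password" should point at `#change-a-service-account-password`, matching the heading added later in this diff.
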
Expand All @@ -77,13 +76,13 @@ You can use the following command to accomplish it:

After completing this process, Archeobot takes care of relevant cleanup tasks, including secrets generated for you. If you attempt to delete the default service account, a new one will be recreated. It's important to note that Archeobot only manages the cleanup of secrets it has generated specifically for you. If you have created any secrets independently using this account's information, such as a secret in Gold DR, you will need to delete that secret manually.

### Missing ArtifactoryServiceAccount Secret: How to resolve the issue
## Change a service account password

If you have unintentionally deleted the secret for your Artifactory service account, follow the commands above to delete the ArtifactoryServiceAccount object. Archeobot will detect the deletion of the object and subsequently remove the service account from Artifactory.
If you wish to change the password of your Artifactory service account, simply delete one of `artifacts-tekton-[random]` or `artifacts-pull-tekton-[random]`. Archeobot will detect this, delete the other secret, change your service account password and then generate two new secrets (with the same naming pattern) containing your new password.
Contributor

Let's remove "tekton" from the sample service account name. Maybe replace it with "ASAname", as in the command examples above?


If you delete the default service account this way, a new one will automatically be created for you. Otherwise, you're free to create a new service account using the steps outlined in [Create a service account](#create-a-service-account). This will create for you a new service account with new secrets that you can use.
Because the name of your pull secret has now changed, you may need to update references to this pull secret in your BuildConfigs or Deployments. You can find more information about this in our [Pull artifacts from Artifactory](../build-deploy-and-maintain-apps/push-pull-artifacts-artifactory.md) documentation.

Keep in mind that this is a _new_ account, and that you will need to re-add this account to your Artifactory Project(s), if necessary. Instructions for this can be found in our [Setup an Artifactory project and repository](../build-deploy-and-maintain-apps/setup-artifactory-project-repository.md) documentation.
Don't forget to update any related secrets that you have copied into other namespaces!

---
## Related pages
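
Review bot: The new "Change a service account password" section turns deletion of either secret into a password rotation, but the hunk removes the "Missing ArtifactoryServiceAccount Secret" section without saying what now happens when a secret is deleted by accident. State explicitly that removing `artifacts-[ASAname]-[random]` or `artifacts-pull-[ASAname]-[random]` by mistake also changes the password and renames both secrets, so any copy made by hand (such as the Gold DR secret mentioned in the paragraph above the new heading) stops working until it is updated; the closing line "Don't forget to update any related secrets that you have copied into other namespaces!" could name Gold DR directly. The unchanged sentence "If you attempt to delete the default service account, a new one will be recreated" also conflicts with the new Create text, which says no default account is provided, and should be removed or reworded.
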